Bluvoyix
CVE-2026-22240
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.
AnalysisAI
Bluvoyix stores user passwords in plaintext and exposes them through unauthenticated APIs, allowing remote attackers to retrieve credentials without authentication and gain administrative access to customer accounts. This high-severity vulnerability affects all users of the platform and could lead to complete compromise of customer data, with no patch currently available.
Technical ContextAI
Classified as CWE-200 (Information Exposure). Affects Bluvoyix. The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
BLUVOYIX exposes internal API documentation publicly, allowing attackers to discover and abuse internal functionality.
BLUVOYIX admin APIs allow unauthenticated creation of admin users, enabling complete platform takeover.
BLUVOYIX platform has unauthenticated API access allowing full customer data extraction and platform compromise.
BLUVOYIX's email sending API contains design flaws that permit unauthenticated attackers to send arbitrary emails on beh
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today